Windows Kernel Exports

The very large table on this page lists all the functions and variables—there
are more than two thousand—that appear in the export directory of any known x86
or x64 build of the Windows kernel.

For each name, the table gives just a brief summary of the applicable kernel
versions and of the status with respect to Microsoft’s documentation. This table
is intended only as a master list. Details of each export’s availability and documentation
status may be found by looking for the export in other lists, according to its first
version as shown here. In the Table of Contents, expand the entry for
Kernel Versions to get pages for each version.
This is how this study means you to find, for example, that although a function
of interest to you has been exported since Windows NT 3.1, it is said by Microsoft’s
documentation to be available only starting from Windows Server 2003 SP1, and that
even this wasn’t revealed until 2007. Some, presently very few, exports link directly
from this page to an attempt at independent documentation. Substantial explanatory
notes, especially about the different sources and degrees of documentation, follow
the table.

Names

Names are reproduced from the export directory of the NTOSKRNL.EXE executable.
All exports from the kernel are by name until version 6.2 introduces two that are
exported only by ordinal. Names for ordinal-only exports are inferred from symbol
files that Microsoft supplies for customer support. The ordinal is given in parentheses
immediately after the function’s name.

A few exports are of variables rather than functions. They are marked above by
the word “data” in parentheses. These notes talk of all as functions, hoping no
confusion will be caused by such loose terminology.

Since experience shows that this table is not always read with the knowledge
of an advanced programmer, it must be stressed that a function’s presence in the
export directory does not mean that the function is implemented non-trivially, let
alone that it will work satisfactorily if called. It means just that the function
can be imported by other modules, and be called by them, for better or worse. That
a function is first exported in some version does not mean that Microsoft supports
its use in that version, even if such support is documented for later versions.
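As an added illustration (not code from this study or from Microsoft), the Python below reads an export directory as the Names section describes, pairing each address-table slot with its names and reporting the slots that have none, which are the ordinal-only exports. It assumes an image laid out as loaded, so that file offset equals RVA, and it runs on a small constructed sample; the names SampleA and SampleB and all addresses are made up.

```python
import struct

EXPORT_DIR = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY, 40 bytes

def cstr(img, rva):
    """Read a NUL-terminated ASCII string at the given RVA."""
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def parse_exports(img, dir_rva):
    """Return [(ordinal, [names], rva)] for every used slot in the address table."""
    (_, _, _, _, _, base, n_funcs, n_names,
     funcs, names, ords) = struct.unpack_from(EXPORT_DIR, img, dir_rva)
    eat = struct.unpack_from(f"<{n_funcs}I", img, funcs)
    name_rvas = struct.unpack_from(f"<{n_names}I", img, names)
    name_idx = struct.unpack_from(f"<{n_names}H", img, ords)
    by_slot = {}
    for rva, idx in zip(name_rvas, name_idx):
        if idx < n_funcs:  # ignore name entries that point outside the table
            by_slot.setdefault(idx, []).append(cstr(img, rva))
    # The ordinal is the slot index plus the directory's Base field.
    return [(base + i, by_slot.get(i, []), rva)
            for i, rva in enumerate(eat) if rva != 0]

def ordinal_only(exports):
    """Ordinals of exports that have an address but no name."""
    return [o for o, names, _ in exports if not names]

def build_sample():
    """Constructed image (not from any Windows build): offset equals RVA."""
    img = bytearray(0x100)
    # Base=1, 3 address slots, 2 names; tables at 0x40, 0x50, 0x60.
    struct.pack_into(EXPORT_DIR, img, 0x10, 0, 0, 0, 0, 0, 1, 3, 2, 0x40, 0x50, 0x60)
    struct.pack_into("<3I", img, 0x40, 0x1000, 0x1010, 0x1020)  # export addresses
    struct.pack_into("<2I", img, 0x50, 0x70, 0x80)              # name pointers
    struct.pack_into("<2H", img, 0x60, 0, 2)                    # name -> slot index
    img[0x70:0x78] = b"SampleA\0"
    img[0x80:0x88] = b"SampleB\0"
    return bytes(img)

if __name__ == "__main__":
    for ordinal, names, rva in parse_exports(build_sample(), 0x10):
        print(ordinal, names or "(ordinal only)", hex(rva))
```

Each tuple records only that a slot has an address and, possibly, names; the directory itself says nothing about what is implemented at that address.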

Versions

The kernel versions shown for each function
are inferred from a study of public releases such as I have managed to find on old
MSDN discs or downloaded from Microsoft’s websites, whether free or requiring what
is nowadays called a Visual Studio subscription. My holdings are incomplete and
I anyway have no time for (or interest in) examining pre-release builds or hotfixes.
Of necessity then, the table makes what I hope are reasonable assumptions about
likely continuity, especially to suppose that a function will exist in future versions
or that a function exists in all builds of a version if no counter-example is yet
known. If you want more accurate or comprehensive information, try getting it from
Microsoft.

Documentation Status

Except where otherwise stated, the chosen reference for all comment on Microsoft’s
documentation of exported kernel functions is what Microsoft presents as Visual
Studio Documentation under the heading “Windows Driver Kit (WDK)”. As this documentation
says: “Windows Driver Kit (WDK) 10 is integrated with Microsoft Visual Studio 2015”.
The large file, named v2Windows_Development_Windows_Driver_Development_B974_VS_85_en-us_3.mshc,
from which this content is drawn appears to be as close as Microsoft now comes to
publishing WDK documentation as a self-standing, explicitly dated collection. The
file’s last modification date is 6th August 2015, which to my mind means it can
reasonably be taken as Microsoft’s definitive offering of documentation for Windows
10 as first released on 29th July 2015.

The previously chosen reference edition of the Windows Driver Kit (WDK) for all
comment on Microsoft’s documentation and programming support was version 7600.16385.0,
mostly with documentation dated to 18th June 2009 and header files to 13th July
2009. This was the WDK’s first public release for Windows 7.

Currency

Choosing one reference edition is not ideal for all purposes. Windows versions
that get released afterwards will inevitably add functions, which then will typically
not be listed above as documented until a new reference edition is adopted. I may
adjust for observations that I happen to come across, but please understand that
I do not intend to poll Microsoft’s websites to keep the documentation status up
to date. I may not even be able to sustain a programme of regularly updating this
list to match new choices of reference edition even years apart. If you want more
frequent updating, then please remember that this bookkeeping is done at my own
expense in the public interest: look instead for an alternative that is done commercially
or by academics who draw a salary.

History

There is also potentially a loss of history because any chosen reference edition
can be too recent. Of interest perhaps only to historians is that even documented
functions are sometimes discontinued, meaning specifically that later versions do
not export them. Do not rely on me to have searched old editions of the WDK to find
whether discontinued functions ever were documented.

Of potentially much wider interest is that new functions are often not documented
immediately by Microsoft and sometimes not for several years. That a function is
marked above as documented does not mean that it has always been documented, only
that it is documented in the chosen reference edition or that I have noticed later
documentation of it online. I tend to think that delayed documentation imposes significant
costs on and barriers to third-party software development. However, nobody can sensibly
consider the question without a careful account of the documentation history. For
as much precision as I happen yet to know about the history of a function’s documentation,
look for the function in the version lists. Please be aware that this is a work
in progress. For thousands of functions, each to be looked for in nearly a dozen
sources of documentation, there are bound to be some mistakes in my descriptions,
and my account of the history is anyway deficient for not having found an Installable
File System (IFS) Kit for any release of Windows XP or Windows Server 2003.

The IFS Kit is especially notable in this context of delayed documentation. Of
the kernel functions that Microsoft does document, a significant proportion (not
quite a third) are documented in the WDK only by the relatively recent inclusion
of the IFS Kit which was for many years not nearly as readily available as was the
ordinary Device Driver Kit (DDK). According to stories that can still be found on
the Internet, Microsoft’s practice if only in the early years of Windows was that
the IFS Kit was not just very expensive, relative for instance to an MSDN subscription,
but also was sold only under some sort of Non-Disclosure Agreement. If the latter
is true, then functions that were documented only in the IFS Kit were undocumented
in effect, at least in the early years. In any case, even the IFS Kit didn’t come
with formal documentation until Windows 2000.

Classifications

For some functions, the whole of Microsoft’s documentation is that the function
is reserved for use by the system. Undocumented functions are occasionally promoted
to reserved. Only very rarely is a reserved function later documented with any substance.
That a function is marked above as “reserved” means that the only known mention
of it in the current reference edition of Microsoft’s documentation is to say some
such thing as that the function is reserved for the system and is not to be used
in drivers. The function may have its own page, and even be given with a prototype
and other details, or it may just appear in a list of names.

Other functions are said to be obsolete. These often are given with prototypes
and sometimes with substantial documentation, presumably from before the function
became obsolete. A few were already obsolete as early as the Windows NT 4.0 DDK
and a few others seem to have gone directly from undocumented to obsolete. That
a function is marked above as “obsolete” means that its page of documentation in
the current reference edition is anything from slight to substantial but includes
a remark that the function is obsolete without qualification. That a function is
documented as obsolete for specified (typically recent) versions does not make it
obsolete for this list but is a detail that may be recorded separately in the version
lists.

Even for the functions that Microsoft does document non-trivially, Microsoft
provides no master list. Documentation is scattered through the WDK. I see no easy
way to automate a search and I have not typed the name of every function into the
(surprisingly primitive) search pane of the Document Explorer or Microsoft Help
Viewer or whatever. I have marked a function as documented if I have seen in the
Contents pane that the function has its own page anywhere under numerous applicable
headings. That a function is not marked above as “documented” (or is marked on other
pages as “undocumented”) does not mean for certain that Microsoft does not document
it, just that I haven’t yet found where (including because I haven’t cared enough
to look harder).

Some exports, especially of variables, are documented indirectly in the sense
that a WDK header file defines a macro for access to the variable and the macro
is documented. Such cases as I have found for the table are marked above by appending
“macro” in brackets. To learn the identity of the macro, follow the export into
the version lists.

A handful of functions have user-mode equivalents, with the same prototypes,
which are documented in the Software Development Kit (SDK). The user-mode documentation
of such functions appears to be good for kernel-mode. These functions are marked
in the table as documented but with SDK appended in parentheses. There may be more
to find of these.

While on the matter of equivalent user-mode documentation, special mention must
be made of NTDLL. Many kernel-mode functions whose names start with Nt, Rtl or Zw
also exist as user-mode functions exported from NTDLL. The WDK seems intended not
just for kernel-mode programming but also for user-mode programming of the low-level
sort that deals directly with NTDLL rather than with the base modules of the Win32
subsystem, e.g., with KERNEL32. Unfortunately, the WDK documentation and header
files rarely state explicitly whether what is said of a function is meant just for
the kernel or also for NTDLL or just for NTDLL. I have not yet worked out how to
record this in the lists.

Finally, the kernel implements a selection of functions from the C Run-Time (CRT)
Library. Some are not documented even for the CRT because in practice all calls
to them are generated by the compiler, but most are the sort of utility functions
that no C or C++ programmer would want to be without. They could be supported through
a kernel-mode DLL, but since the kernel uses them anyway, the implementations in
the kernel are as well to be exported. The CRT documentation is good for these,
even though the functions are not formally documented as being exported from the
kernel. These functions are marked in the table by adding CRT in parentheses.

Of the kernel functions that seem to have no formal documentation, many are at
least declared in one or another header file from the WDK. Functions that are declared
but not documented often do get documented before long.

Special mention must be made of some declarations that Microsoft published with
the Enterprise WDK for the 1511 release of Windows 10. In that edition, and apparently
in that edition only, a subdirectory named “minwin” of what look intended as user-mode
inclusions has several headers that declare functions and define structures that
have little or nothing to do with user-mode programming but are a treasure trove
of kernel-mode material that Microsoft has otherwise kept very much to itself for
decades. Functions for which Microsoft’s names and types for arguments are known
only through this plausibly accidental disclosure are marked in the table by adding
“minwin” in parentheses.

As a quick summary, just over half of all kernel exports are documented, including
just to say that the function is obsolete or reserved. The flip side is that roughly
30% of exports from the Windows kernel are completely undocumented, without even
a declaration in a WDK header file.

Many of the undocumented functions are imported by the HAL. These would likely
be documented in some HAL Development Kit, not that such a thing is public. Even
regarded as undocumented functions, they are arguably internal to Windows, intended
just for the private communication of HAL and kernel. Some other undocumented kernel
exports surely are used by drivers and other kernel-mode modules that are written
by Microsoft and supplied with Windows but whose replacement by third-party software
is at least conceivable. Identifying such cases is left for another time.

This page was created on 20th April 2009 and was last modified
on 23rd March 2019.